How to secure your applications from the ground up
Business demands mean that application development has now become a continuous cycle. Making applications secure by design and maintaining their security over time means working with the same continual and cyclical approach we take to software development. In this article, we will explore how organizations can ensure that their applications are resilient against cyber threats.
The shift left isn’t a one-off
Rapid and iterative software development cycles mean frequent changes to application code. The old model of “shifting security to the left” would still apply if application development were a linear timeline – design, build, test, run. But the CI/CD pipeline has turned this timeline into a continual cycle in which developers redesign, rebuild, test and redeploy, with each successive code release.
This cycle is accelerating too: 57% of developers report releasing code twice as fast as before, while 19% say they release it 10X as fast.
But change introduces risk. Each new release of an application can ship code with untested security vulnerabilities that cyber attackers can exploit. Meanwhile, the median time it takes an organization to patch a vulnerability in a web application is 49 days. That leaves a window of opportunity for attackers to exploit the vulnerable application and use it as a stepping stone in a cyber attack.
Developing secure applications is therefore an ongoing process of spotting vulnerabilities and fixing them continually. It is not a one-off action; it requires developers to continually test and improve their applications to weed out security flaws with each successive code release.
To do this successfully, we’ve identified three key pillars to better application security:
- Conduct threat modelling exercises during the design phase to narrow down the risks applications are likely to face
- Train developers to spot security vulnerabilities, write more secure code and implement DevSecOps processes
- Test applications on a continual basis to spot and fix vulnerabilities when they arise in each successive code release
This list is not exhaustive, but it is the most effective starting point for better application security because it addresses potential security gaps throughout the lifespan of the application. With that in mind, let’s look at each pillar and where it fits in the application development lifecycle.
Threat modelling: getting ahead of the problem
Threat modelling is an exercise designed to identify the security weaknesses of an application before they are exploited. The aim is to predict the attack types a threat actor is likely to attempt, so that you can select appropriate protective measures for your application. Typically this involves first defining the security requirements for the application, then creating an application diagram that visualizes system components, data flows, and security boundaries. The next step is to identify potential security vulnerabilities that attackers might exploit, before finally deciding on remediations for each threat.
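The four steps above can be captured as a small "threat model as code" walkthrough. This is an added example, not Claranet's tooling or the article's own material; the components, trust zones, data flows and the two security requirements are all constructed assumptions for a hypothetical web service.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # trust zone the component runs in (constructed names below)

@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str            # what travels on this flow
    encrypted: bool      # protected in transit?
    authenticated: bool  # does the receiver verify who is calling?

# Step 1: security requirements. Each is a predicate every boundary-crossing flow
# must satisfy, paired with the threat it guards against and the remediation.
REQUIREMENTS = [
    (lambda f: f.encrypted, "eavesdropping or tampering in transit",
     "encrypt the channel (e.g. TLS) between the two components"),
    (lambda f: f.authenticated, "spoofed caller reaching a trusted component",
     "authenticate the caller before accepting the request"),
]

def crosses_boundary(flow):
    """A flow crosses a security boundary when its ends sit in different trust zones."""
    return flow.src.zone != flow.dst.zone

def find_threats(flows):
    """Steps 3 and 4: (flow, threat, remediation) for each boundary-crossing flow that breaks a requirement."""
    findings = []
    for f in flows:
        if not crosses_boundary(f):  # flows that stay inside one zone are not flagged
            continue
        for satisfied, threat, fix in REQUIREMENTS:
            if not satisfied(f):
                findings.append((f"{f.src.name} -> {f.dst.name} [{f.data}]", threat, fix))
    return findings

def example_model():
    """Step 2: a constructed application diagram for a small web service."""
    browser = Component("browser", "internet")
    api = Component("api", "dmz")
    db = Component("database", "internal")
    cache = Component("session-cache", "internal")
    return [
        Flow(browser, api, "login form", encrypted=True, authenticated=True),
        Flow(api, db, "user records", encrypted=False, authenticated=True),
        Flow(api, cache, "session tokens", encrypted=False, authenticated=False),
        Flow(Component("report-worker", "internal"), db, "report queries", encrypted=False, authenticated=True),
    ]
```

Running `find_threats(example_model())` flags the two unencrypted flows out of the DMZ (three findings in total) and leaves the internal worker-to-database flow alone, which is the point of drawing the boundaries first: the model, not the reviewer's memory, decides which flows need scrutiny on each release.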
Training developers to spot flaws and write secure code
Making applications secure by design means ensuring security is intertwined with every feature and function. The risks of not doing so are evident in attackers’ changing behaviors: in 2022, 25% of breaches involved attacks on web applications. In most cases, an attack on a web application is just one step in a larger attack chain.
Developers find unpacking, processing, and fixing vulnerabilities in code that has already been released a time-consuming struggle. When vulnerabilities are found late in the SDLC, rewriting the foundations often means rewriting all the code that is built on top.
DevSecOps makes security a standard and necessary part of the software development process. Code reviews can be automated with a variety of open-source scripts and tools to uncover security vulnerabilities. Implementing a DevSecOps methodology helps foster collaboration between developers and security teams so that developers can quickly identify and patch vulnerabilities in their code. If done well, this will result in more secure applications, without causing delays in development.
Equally, developers can educate themselves to think like an attacker in order to write code that is secure by design. Sources such as the OWASP Top 10 list the most common vulnerabilities in web applications which attackers will likely target. By understanding how attackers identify and exploit these vulnerabilities, developers can write application code that is secure right down to its foundations.
While security is becoming a larger part of their day jobs, developers are not trained to spot security vulnerabilities and write secure code as standard, forcing them to seek specialized training courses. Those who do are empowered with best practices, tools, and techniques for secure application development, and play a key role in reducing their organization’s risk of a cyber attack.
Test continuously to match your CI/CD pipeline
Using penetration testing to uncover security vulnerabilities in applications is effective, but it often occurs late in the software development lifecycle when flaws in code are difficult and time-consuming to fix. There are two problems with relying on penetration testing for applications:
- Penetration testing only presents a snapshot of security vulnerabilities at a single point in time; as soon as new code is deployed, the results of a penetration test are out of date. They may remain valid if the same vulnerabilities are unfixed, but are incomplete if new security flaws have since been introduced.
- The cost of penetration testing makes it difficult to scale across large application estates, and too expensive to repeat with each new code deployment.
Claranet Continuous Security Testing provides a new solution to this problem. It combines automated scanning tools that run 24/7, with targeted manual penetration testing, so you can spot and fix vulnerabilities as they arise. First, all findings are verified and evaluated. Then, expert penetration testers conduct further manual testing to uncover complex vulnerabilities that automated scanners can't detect.
Continuous Security Testing provides fast but detailed feedback to developers and security teams on vulnerabilities present in applications, web-facing assets, APIs and external infrastructure. If Continuous Security Testing is used to test your pre-production or staging environment, it enables developers and security teams to catch and fix vulnerabilities before the code reaches production, even with a rapid CI/CD pipeline. By employing a “little and often” approach, the work of vulnerability management and securing applications becomes bite-sized.
As part of Continuous Security Testing, Claranet provides free re-testing of the applications which are in scope, to ensure that developers’ remediations have been successful.
Organizations use Continuous Security Testing to:
- Detect vulnerabilities faster, so they can remediate them sooner
- Shorten the window of opportunity for attackers
- Reduce their team’s workload for securing applications, by taking a “little and often” approach
- Prioritize their efforts, so they can remediate the greatest risks first
A consistent approach
As more developers incorporate security into their coding, securing applications will eventually become second nature, rather than an afterthought. For now, the need for specialized training courses remains. We hope that the profession as a whole will acknowledge and celebrate its crucial role in maintaining organizations’ security posture, and more developers will diversify their skillset to make “secure by design” the minimum acceptable standard, rather than the gold standard.
At the team level, the insistence on a continual and iterative approach to securing applications (whether you call it DevSecOps or something else) is paramount; we must co-opt security into the modern SDLC. By weeding out flaws in each code release, organizations can maintain the security of their applications (and other web-facing assets), and close down a popular and fast-growing avenue of attack for threat actors.
To find out more about how developer training, threat modelling and Continuous Security Testing can improve the security of your web applications, get in touch.